ABSTRACT

This note extends briefly the integer transforms of C. M. Rader (1972) to transforms over finite fields and rings. These transforms have direct application to digital filters and make possible digital filtering without round-off error. In some cases, the parameters of such number-theoretic transforms can be chosen so that substantial reductions in hardware are possible over what would be needed using classical digital filtering techniques.
SUMMARY


This note reports briefly on material found for utilizing finite fields and rings to compute convolutions of finite sequences of integers. The methods described generalize the integer transform methods of Rader to similar transforms over finite fields and rings.

Some fundamentals of finite or Galois fields GF(p^n) are informally introduced. Then, following Pollard, d-point Fourier-like transforms are defined and shown to be the only linear transforms in GF(p^n) with the circular convolution property. This generalizes to Galois fields a result due to Agarwal and Burrus for the convolution of integer sequences.

Since the set GF(p) of integers modulo a prime number p is always a subfield of GF(p^n), d-point transforms over GF(p^n) can be utilized to compute the transform of a sequence of integers {a_1, a_2, ..., a_d} where a_k lies in the range -[(p - 1)/2] ≤ a_k ≤ (p - 1)/2. As a consequence, the circular convolution of two such sequences can be computed using d-point transforms over GF(p^n).

An interesting special case occurs if n = 2 and q is a Mersenne prime of form q = 2^p - 1, where p is a prime. For this case, GF(q^2) is shown to mimic the complex numbers. That is, all elements of GF(q^2) are of the form a + ib where a, b ∈ GF(q), and i satisfies the equation x^2 + 1 = 0. The d-point transforms of GF(q^2) are shown to be candidates for computing convolutions of two sequences of complex integers. Since d, the number of points in the transform, must divide the order q^2 - 1 = 2^{p+1}(2^{p-1} - 1) of the multiplicative group of GF(q^2), the number of points in a transform over GF(q^2) can be chosen to be a power of 2. Thus one can utilize the fast Fourier transform (FFT) algorithm to compute convolutions of complex numbers without round-off error.

In the last section of this note, a theorem, stated by Pollard on transforms over a ring of integers modulo m, is examined. This leads to the notion of the modular arithmetic transform. The Chinese remainder theorem is used to map modular arithmetic transforms into the transforms of integers modulo m.
THE USE OF FINITE FIELDS AND RINGS TO COMPUTE CONVOLUTIONS


I. INTRODUCTION

Recently C. M. Rader showed in Ref. 1 that the convolution of two finite sequences of integers (a_k) and (b_k) for k = 1, 2, ..., d can be obtained as the inverse transform of the product of two transforms which were other than the usual discrete Fourier transform (DFT). Rader defined transforms of the form

$$A_k = \sum_{n=0}^{d-1} a_n\, 2^{nk} \bmod b \qquad (1)$$

where b was either a Mersenne number

$$b = 2^p - 1, \quad p \text{ a prime}$$

or b was the Fermat number

$$b = 2^{2^m} + 1, \quad m \text{ an integer.}$$

The primary advantage of the above Rader transform over the discrete Fourier transform,

$$F_k = \sum_{n=0}^{d-1} a_n\, w^{nk} \qquad (2)$$

where w is a d-th root of unity, lies in the fact that the multiplications by powers of w are replaced in binary arithmetic by simple shifts. Of course, this advantage must be weighed against the difficulties of computing the answer modulo b and of the numeric constraints, relating word length, length of sequence d and compositeness of d, imposed by the above two choices for b, suggested by Rader. Our purpose here is to review the Rader transform first by enlarging the class of transforms, given by (1), and second by presenting more details of the computational algorithm for computing such a convolution with (1).

In the next section, the class of transforms given by (1) is increased to include a Fourier-type transform over an arbitrary finite field, the Galois field. Such a generalization has been discussed recently by J. M. Pollard (Ref. 2) in 1971, but also much earlier by Reed and Solomon (Ref. 3) in 1959 in a somewhat different context. The approach used here will follow the more explicit approach of the earlier reference.


II. DFT ON A GALOIS FIELD

The only finite fields are the Galois fields. The number of elements in a Galois field is p^n where p is a prime number and n is a positive integer. To construct a Galois field GF(p^n), one must first find an n-th degree polynomial p(x) over GF(p) which is irreducible. The elements of GF(p^n) are then all polynomials of the form

$$f(\alpha) = \sum_{i=0}^{n-1} f_i\, \alpha^i, \qquad f_i \in GF(p), \quad (i = 0, 1, 2, \ldots, n-1)$$

where α is a root of p(x), i.e., p(α) = 0. The product h(α) of two elements, say f(α) and g(α) in GF(p^n), is the residue of f(x) g(x) modulo p(x) with α substituted for x. That is, h(α) is found by

$$h(x) = f(x)\, g(x) \bmod p(x)$$

where x = α. Similarly, the sum s(α) is found by

$$s(x) = f(x) + g(x) \bmod p(x)$$

where x = α. By taking the sums and products of all polynomials f(α) in this manner, the addition and multiplication tables of the elements of GF(p^n) can be found. Let this be illustrated by the following example.


Example 1

Consider the integers modulo 3. This is the prime field or GF(3) = {0, 1, 2} where 2 = -1. Let

$$p(x) = x^2 + x + 2 .$$

Since p(0) = 2, p(1) = 1, and p(2) = 2, p(x) is irreducible over the coefficient field GF(3). A root to p(x) = 0 can only be found in some field containing GF(3), some extension field. If α is such a root, then α satisfies

$$p(\alpha) = \alpha^2 + \alpha + 2 = 0 .$$

Starting with the element α, one computes α^2 by computing x^2 Mod p(x) as follows:

$$x^2 = (x^2 + x + 2) - x - 2 .$$

This -x - 2 = 2x + 1 is the residue of x^2 modulo x^2 + x + 2, and

$$\alpha^2 = 2\alpha + 1$$

is the reduced expression for α^2. Similarly, one can compute α^3 by computing the residue of (x)(x^2) = (x)(2x + 1) = 2x^2 + x, i.e.,

$$2x^2 + x = 2(x^2 + x + 2) - x - 4 = 2(x^2 + x + 2) + (2x + 2) \quad \text{over } GF(3).$$

Thus

$$\alpha^3 = 2\alpha + 2 .$$

Continuing in this manner one gets the results shown in Table 1.


TABLE 1

THE NON-ZERO ELEMENTS OF GF(3^2)

    i    α^i
    1    α
    2    2α + 1
    3    2α + 2
    4    2
    5    2α
    6    α + 2
    7    α + 1
    8    1

In this particular case, α and its powers α^i (for i = 1, 2, ..., 8) generate the eight non-zero elements of GF(3^2). If an element α and its powers generate the non-zero elements of a field, α is called a primitive element. If α is a primitive element, and a root of p(x), which it is in this example, then the relation p(α) = 0 can be used to compute the non-zero elements of GF(p^n). This is done for this example as follows: p(α) = 0 is the relation α^2 + α + 2 = 0. Solving for α^2 yields

$$\alpha^2 = 2\alpha + 1 .$$

Then

$$\alpha^3 = \alpha(\alpha^2) = \alpha(2\alpha + 1) = 2\alpha^2 + \alpha = 2(2\alpha + 1) + \alpha = 2\alpha + 2 ,$$

and so forth, thereby obtaining Table 1.
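As an added illustration (my own code, not part of the note), the following Python builds GF(3^2) exactly as Example 1 does, as residues of polynomials over GF(3) modulo p(x) = x^2 + x + 2, and regenerates Table 1 by repeated multiplication by α; the function names and the irreducibility test are mine.

```python
# Added example: arithmetic in GF(p^n) as polynomials over GF(p) reduced
# modulo an irreducible monic p(x); used to regenerate Table 1 for GF(3^2).
# Function names and layout are my own, not the note's.
from typing import List, Tuple

Poly = Tuple[int, ...]   # coefficients low degree first, each reduced mod p


def poly_mulmod(f: Poly, g: Poly, mod: Poly, p: int) -> Poly:
    """Product of f and g over GF(p), reduced modulo monic mod of degree n.

    Mirrors h(x) = f(x) g(x) Mod p(x): multiply, then divide out the
    leading term of mod until the degree drops below n.
    """
    n = len(mod) - 1
    prod = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            prod[i + j] = (prod[i + j] + fi * gj) % p
    for k in range(len(prod) - 1, n - 1, -1):      # long division step
        c = prod[k]
        if c:
            for t in range(n + 1):
                prod[k - n + t] = (prod[k - n + t] - c * mod[t]) % p
    res = prod[:n] + [0] * (n - len(prod))
    return tuple(res)


def is_irreducible_quadratic(mod: Poly, p: int) -> bool:
    """A quadratic over GF(p) is irreducible iff it has no root in GF(p)
    (the p(0), p(1), p(2) check of Example 1)."""
    c0, c1, c2 = mod
    return all((c0 + c1 * x + c2 * x * x) % p != 0 for x in range(p))


def powers_of_alpha(mod: Poly, p: int) -> List[Poly]:
    """[alpha^1, alpha^2, ...] up to the first power equal to 1, where
    alpha is the residue class of x, a root of mod."""
    n = len(mod) - 1
    alpha = tuple(1 if i == 1 else 0 for i in range(n))
    one = tuple(1 if i == 0 else 0 for i in range(n))
    out, cur = [], alpha
    for _ in range(p ** n):          # the order can be at most p^n - 1
        out.append(cur)
        if cur == one:
            return out
        cur = poly_mulmod(cur, alpha, mod, p)
    raise ValueError("x has no finite order: mod is probably reducible")


def fmt(e: Poly) -> str:
    """Render (c0, c1) in the note's notation, e.g. (1, 2) -> '2a + 1'."""
    c0, c1 = e
    terms = []
    if c1:
        terms.append("a" if c1 == 1 else f"{c1}a")
    if c0 or not terms:
        terms.append(str(c0))
    return " + ".join(terms)


P = 3
PX = (2, 1, 1)      # x^2 + x + 2 with coefficients low degree first


def table_1() -> List[str]:
    """Rows of Table 1: alpha^i for i = 1 .. order(alpha)."""
    assert is_irreducible_quadratic(PX, P)
    return [fmt(e) for e in powers_of_alpha(PX, P)]


def is_primitive(mod: Poly, p: int) -> bool:
    """alpha is primitive iff its powers reach all p^n - 1 non-zero elements."""
    return len(powers_of_alpha(mod, p)) == p ** (len(mod) - 1) - 1


if __name__ == "__main__":
    for i, row in enumerate(table_1(), 1):
        print(f"a^{i} = {row}")
```

The second irreducible quadratic over GF(3), x^2 + 1, shows the distinction the text draws: its root has order 4, so it is not a primitive element even though the polynomial is irreducible.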

The above example illustrates the following facts about a Galois field. All the elements of GF(p^n) satisfy the equation

$$x^{p^n} - x = 0 .$$

There exists a primitive element α ∈ GF(p^n) which generates the non-zero elements of GF(p^n). The non-zero elements of GF(p^n) compose a cyclic group. In general, there always exists an α ∈ GF(p^n) such that GF(p^n) is the set {0, α, α^2, ..., α^{p^n - 1}}. α is called a (p^n - 1)-th root of unity.

If in (1), b is a prime p, then the Rader transform can be regarded as a mapping of a subset of GF(p) into GF(p). To see this, consider the mapping

$$A(x) = \sum_{k=0}^{d-1} a_k\, x^k \bmod p . \qquad (4)$$

Then the elements of the subset

$$\{1, 2, 2^2, \ldots, 2^{d-1}\} \bmod p$$

of GF(p) have, successively, the images

$$\{A(1), A(2), A(2^2), \ldots, A(2^{d-1})\} \bmod p ,$$

also a subset of GF(p), where a_k ∈ GF(p). Hence, A(x) as given by (4) is a mapping of a subset of GF(p) into GF(p). A(x) is called a polynomial mapping.

More generally, let a_k and x be elements of an arbitrary Galois field, say GF(p^n), and consider the mapping of a subset of d distinct non-zero elements

$$\varphi_d = \{\tau_1, \tau_2, \ldots, \tau_d\} \subset GF(p^n)$$

into GF(p^n) with the polynomial mapping

$$A(x) = \sum_{k=0}^{d-1} a_k\, x^k . \qquad (5)$$

This is the most general possible mapping of GF(p^n) into GF(p^n) (see Ref. 3). This mapping can be displayed as a system of linear equations in the coefficients a_k as follows.

$$\begin{aligned}
A(\tau_1) &= a_0 + a_1\tau_1 + a_2\tau_1^2 + \cdots + a_{d-1}\tau_1^{d-1} \\
A(\tau_2) &= a_0 + a_1\tau_2 + a_2\tau_2^2 + \cdots + a_{d-1}\tau_2^{d-1} \\
&\;\;\vdots \\
A(\tau_d) &= a_0 + a_1\tau_d + a_2\tau_d^2 + \cdots + a_{d-1}\tau_d^{d-1}
\end{aligned} \qquad (6)$$

This system can be written further in matrix form as

$$\mathbf{A} = T\,\mathbf{a} \qquad (7)$$

where a and A are the column matrices

$$\mathbf{a} = \begin{bmatrix} a_0 \\ a_1 \\ \vdots \\ a_{d-1} \end{bmatrix}
\qquad\text{and}\qquad
\mathbf{A} = \begin{bmatrix} A(\tau_1) \\ A(\tau_2) \\ \vdots \\ A(\tau_d) \end{bmatrix}$$

and

$$T = \begin{bmatrix}
1 & \tau_1 & \tau_1^2 & \cdots & \tau_1^{d-1} \\
1 & \tau_2 & \tau_2^2 & \cdots & \tau_2^{d-1} \\
\vdots & & & & \vdots \\
1 & \tau_d & \tau_d^2 & \cdots & \tau_d^{d-1}
\end{bmatrix}$$

is a d × d matrix of elements in GF(p^n).

By (7) the polynomial mapping (5) can also be regarded as a linear mapping of the vector a onto a vector A. Such a mapping is one to one or is invertible if matrix T has an inverse, that is, if the determinant |T| of T is non-zero. Since the determinant of T is a Vandermonde determinant, it can be evaluated as

$$|T| = \prod_{j<i} (\tau_i - \tau_j) \neq 0 \qquad (8)$$

since the τ's are all distinct. Thus T^{-1} exists and (7) can be solved as

$$\mathbf{a} = T^{-1}\mathbf{A} ,$$

the inverse "transform."
Next let us impose on (7) the constraint that it can be used to compute circular convolutions s_n of sequences a_n and b_n,

$$s_n = \sum_{k=0}^{d-1} a_k\, b_{(n-k)} \qquad (9)$$

where (n - k) is the residue of (n - k) modulo d. One wants the transform of s_n, namely S, to be given by

$$\mathbf{S} = \begin{bmatrix} S(\tau_1) \\ S(\tau_2) \\ \vdots \\ S(\tau_d) \end{bmatrix}
= \begin{bmatrix} A(\tau_1)\cdot B(\tau_1) \\ A(\tau_2)\cdot B(\tau_2) \\ \vdots \\ A(\tau_d)\cdot B(\tau_d) \end{bmatrix} .$$

Equating components,

$$S(\tau_k) = A(\tau_k)\, B(\tau_k) \quad \text{for } k = 1, 2, \ldots, d ,$$

or

$$\sum_{n=0}^{d-1} s_n\, \tau_k^n = \sum_{\ell=0}^{d-1} a_\ell\, \tau_k^\ell \sum_{m=0}^{d-1} b_m\, \tau_k^m .$$

Substituting (9) in the left side,

$$\sum_{n=0}^{d-1} \sum_{\mu=0}^{d-1} a_\mu\, b_{(n-\mu)}\, \tau_k^n = \sum_{\ell=0}^{d-1} \sum_{m=0}^{d-1} a_\ell\, b_m\, \tau_k^{\ell+m} .$$

Next if one substitutes ℓ for μ and m for the residue (n - μ),

$$\sum_{\ell=0}^{d-1} \sum_{m=0}^{d-1} a_\ell\, b_m\, \tau_k^{(m+\ell)} = \sum_{\ell=0}^{d-1} \sum_{m=0}^{d-1} a_\ell\, b_m\, \tau_k^{\ell+m} .$$

Finally, equating coefficients of a_ℓ b_m, one gets

$$\tau_k^{(m+\ell)} = \tau_k^{\ell+m} \qquad (10)$$

for (k, ℓ, m = 0, 1, 2, ..., d - 1) where (m + ℓ) is the residue of (m + ℓ) modulo d.

In order to satisfy (10), suppose m + ℓ is an integer r in the interval d ≤ r < 2d; then

$$m + \ell = r = d + (r)$$

where (r) is the residue. In this notation (10) becomes

$$\tau_k^{(r)} = \tau_k^{d+(r)} = \tau_k^d \cdot \tau_k^{(r)} . \qquad (11)$$

Since by assumption τ_k ≠ 0, the inverse element [τ_k^{(r)}]^{-1} in GF(p^n) of τ_k^{(r)} exists. Multiplying both sides of (11) by this inverse yields

$$\tau_k^d = 1 \quad \text{for } k = 1, 2, \ldots, d . \qquad (12)$$

That is, for transform (7) to yield circular convolutions, τ_k must be a d-th root of unity for k = 1, 2, ..., d in GF(p^n). This is essentially the same result Agarwal and Burrus got in Ref. 4 for the circular convolution of integer sequences.

Since the non-zero elements of GF(p^n) form a cyclic group of order p^n - 1, the truth of (12) for an element τ_k ∈ GF(p^n) implies integer d divides p^n - 1. That is, d | p^n - 1 if transform (7) is to yield a circular convolution. Moreover, since the set of elements (τ_1, ..., τ_d) are distinct and are all d-th roots of unity, this set must be a cyclic subgroup of the cyclic group of the non-zero elements of GF(p^n). Thus the set (τ_1, ..., τ_d) equals the subgroup (α, α^2, ..., α^{d-1}, 1), i.e.,

$$\{\tau_1, \tau_2, \ldots, \tau_d\} = \{\alpha, \alpha^2, \ldots, \alpha^{d-1}, 1\} = \varphi_d \qquad (13)$$

in some order, where α ∈ GF(p^n) is a generator of the subgroup.

If the group φ_d = (α, α^2, ..., α^{d-1}, 1) is substituted for (τ_1, ..., τ_d) in transform (7), the transform becomes

$$A_k = \sum_{n=0}^{d-1} a_n\, \alpha^{kn} \quad \text{for } (k = 0, 1, 2, \ldots, d-1) . \qquad (14)$$

To invert (14), observe first that all elements of φ_d satisfy the equation

$$x^d - 1 = 0 .$$

But since x^d - 1 factors as

$$x^d - 1 = (x - 1) \sum_{k=0}^{d-1} x^k ,$$

one has

$$\sum_{k=0}^{d-1} x^k = 0 \quad \text{for } x \neq 1 \text{ and } x \in \varphi_d \subset GF(p^n)$$

$$\sum_{k=0}^{d-1} x^k = \underbrace{1 + 1 + \cdots + 1}_{d \text{ times}} = (d) \quad \text{for } x = 1 \qquad (15)$$

where (d) denotes the residue of d modulo p. This formula is given by Pollard [Ref. 2, Eq. (8)] and earlier by Reed and Solomon [Ref. 3, Eq. (3)].

From (15) we now derive the discrete "delta" function needed to invert (14). Consider the sum of x^n over all the elements of the multiplicative subgroup φ_d defined by (13), with generator β. This is

$$\sum_{x \in \varphi_d} x^n = \sum_{k=0}^{d-1} (\beta^k)^n = \sum_{k=0}^{d-1} (\beta^n)^k .$$

But this is in the form of (15) and β^n is an element of φ_d, thus

$$\sum_{x \in \varphi_d} x^n = \sum_{k=0}^{d-1} (\beta^n)^k =
\begin{cases} 0 & \text{for } n \not\equiv 0 \bmod d \\ (d) & \text{for } n \equiv 0 \bmod d \end{cases}
= (d)\,\delta_d(n) \qquad (16)$$

where δ_d(n) is the delta function

$$\delta_d(n) = \begin{cases} 0 & \text{for } n \not\equiv 0 \bmod d \\ 1 & \text{for } n \equiv 0 \bmod d . \end{cases}$$

Since (d) is an element of field GF(p^n), the inverse (d)^{-1} exists in GF(p^n). Now, multiply by (d)^{-1} α^{-km} and sum on k for (k = 0, 1, 2, ..., d - 1). This yields by (14) and (16),

$$(d)^{-1} \sum_{k=0}^{d-1} A_k\, \alpha^{-km}
= (d)^{-1} \sum_{k=0}^{d-1} \sum_{n=0}^{d-1} a_n\, \alpha^{kn} \alpha^{-km}
= (d)^{-1} \sum_{n=0}^{d-1} a_n \left( \sum_{k=0}^{d-1} \alpha^{k(n-m)} \right)
= (d)^{-1} (d) \sum_{n=0}^{d-1} a_n\, \delta_d(n-m) = a_m .$$

Thus,

$$A_k = \sum_{n=0}^{d-1} a_n\, \alpha^{kn} \qquad\text{and}\qquad a_n = (d)^{-1} \sum_{k=0}^{d-1} A_k\, \alpha^{-kn} \qquad (17)$$

where a_n and A_k are elements of GF(p^n) and α is a generator of the d-element subgroup φ_d, the multiplicative subgroup of GF(p^n).

To show the circular convolution property of (17), let

$$A_k = \sum_{n=0}^{d-1} a_n\, \alpha^{kn}, \qquad B_k = \sum_{m=0}^{d-1} b_m\, \alpha^{km}$$

and

$$S_k = A_k \cdot B_k .$$

Then by (17) the inverse transform of S_k for (k = 0, 1, ..., d - 1) is

$$(d)^{-1} \sum_{k=0}^{d-1} S_k\, \alpha^{-kp}
= (d)^{-1} \sum_{k=0}^{d-1} \sum_{n=0}^{d-1} \sum_{m=0}^{d-1} a_n\, b_m\, \alpha^{k(m+n-p)}
= (d)^{-1} \sum_{n=0}^{d-1} \sum_{m=0}^{d-1} a_n\, b_m \sum_{k=0}^{d-1} \alpha^{k(m+n-p)}$$

$$= \sum_{n=0}^{d-1} \sum_{m=0}^{d-1} a_n\, b_m\, \delta_d(m+n-p) = \sum_{n=0}^{d-1} a_n\, b_{(p-n)} \qquad (18)$$

where (p - n) denotes the residue of (p - n) modulo d.

The result, given by (18), shows finally that the imposition of condition (12) on the transform, given by (7), is both necessary and sufficient for transform (7) to yield circular convolutions. This generalizes a similar result, given by Agarwal and Burrus in Ref. 4, for the field of complex numbers to all fields both finite and infinite. In the next section, we show how to restrict the finite field transform, given by (17), so that it yields circular convolutions over both the integers and complex integers.
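To make (14), (16) and (17) concrete, here is an added Python example (my own code, not the note's) over the prime field GF(17) with d = 8: it finds a generator α of the 8-element subgroup, checks the delta-function sum (16), and verifies that transforming, multiplying pointwise and inverting reproduces the circular convolution (18). The choice p = 17, d = 8 and the sample sequences are mine.

```python
# Added example: the d-point transform (14), the delta-function identity (16),
# the inverse (17) and the convolution property (18) over GF(p), p prime,
# with alpha a generator of the d-element subgroup (d | p - 1).
# p = 17, d = 8 and the sample sequences are my own choices.
from typing import Dict, List


def order(x: int, p: int) -> int:
    """Multiplicative order of x in GF(p)* (smallest k with x^k = 1)."""
    k, y = 1, x % p
    while y != 1:
        y, k = (y * x) % p, k + 1
    return k


def subgroup_generator(p: int, d: int) -> int:
    """alpha of order exactly d: a primitive element g raised to (p-1)/d."""
    assert (p - 1) % d == 0, "d must divide p - 1"
    for g in range(2, p):
        if order(g, p) == p - 1:
            return pow(g, (p - 1) // d, p)
    raise ValueError("no primitive element found")


def delta_sum(alpha: int, n: int, d: int, p: int) -> int:
    """Left side of (16): sum over the subgroup of x^n, i.e. (d) * delta_d(n)."""
    return sum(pow(alpha, k * n, p) for k in range(d)) % p


def transform(a: List[int], alpha: int, p: int) -> List[int]:
    """Eq. (14): A_k = sum_n a_n alpha^{kn} mod p."""
    d = len(a)
    return [sum(a[n] * pow(alpha, k * n, p) for n in range(d)) % p
            for k in range(d)]


def inverse_transform(A: List[int], alpha: int, p: int) -> List[int]:
    """Eq. (17): a_n = (d)^{-1} sum_k A_k alpha^{-kn} mod p."""
    d = len(A)
    d_inv = pow(d, -1, p)            # (d) != 0 in GF(p) because d | p - 1
    alpha_inv = pow(alpha, -1, p)
    return [d_inv * sum(A[k] * pow(alpha_inv, k * n, p) for k in range(d)) % p
            for n in range(d)]


def convolution_direct(a: List[int], b: List[int], p: int) -> List[int]:
    """Right side of (18) evaluated term by term, indices taken modulo d."""
    d = len(a)
    return [sum(a[n] * b[(m - n) % d] for n in range(d)) % p for m in range(d)]


def convolution_via_transform(a: List[int], b: List[int], alpha: int, p: int) -> List[int]:
    """Transform both sequences, multiply pointwise (S_k = A_k B_k), invert."""
    A, B = transform(a, alpha, p), transform(b, alpha, p)
    return inverse_transform([x * y % p for x, y in zip(A, B)], alpha, p)


P, D = 17, 8
ALPHA = subgroup_generator(P, D)


def demo() -> Dict[str, object]:
    a = [1, 2, 3, 4, 0, 0, 0, 0]     # constructed sample sequences
    b = [5, 6, 7, 0, 0, 0, 0, 0]
    return {
        "alpha_order": order(ALPHA, P),
        "delta_off": delta_sum(ALPHA, 3, D, P),   # n = 3, not 0 mod d: expect 0
        "delta_on": delta_sum(ALPHA, 8, D, P),    # n = 8 = 0 mod d: expect (d) = 8
        "roundtrip": inverse_transform(transform(a, ALPHA, P), ALPHA, P) == a,
        "direct": convolution_direct(a, b, P),
        "via_transform": convolution_via_transform(a, b, ALPHA, P),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the fourth output: the integer convolution value 52 comes back as 52 mod 17 = 1, because it exceeds (p - 1)/2 = 8, which is exactly the dynamic-range restriction the next section imposes.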


III. INTEGER ARITHMETIC PRESERVING FINITE FIELD TRANSFORMS

Suppose a is an integer of magnitude less than or equal to (p - 1)/2 where p is a prime. Then integer a satisfies

$$-[(p-1)/2] \le a \le (p-1)/2 .$$

If a ≥ 0, a is the residue modulo p. If a = -b where b > 0, then

$$a = p - b \bmod p .$$

Thus the set of integers

$$\{-(p-1)/2, \ldots, -2, -1, 0, 1, 2, \ldots, (p-1)/2\}$$

corresponds in a one-to-one manner with the following set of residues modulo p,

$$\{(p+1)/2, \ldots, p-2, p-1, 0, 1, 2, \ldots, (p-1)/2\} .$$

Since the latter set exhausts all residues modulo p, this set uniquely represents the set of all positive and negative integers of magnitude less than or equal to (p - 1)/2, namely, the set {x : |x| ≤ (p - 1)/2}, x a positive or negative integer. However, the set of residues modulo p composes precisely the Galois or finite field GF(p), hence the above correspondence maps the set of integers of magnitude less than or equal to (p - 1)/2 onto GF(p) in a one-to-one manner.

In order to carry out arithmetic operations in GF(p) which arrive at the correct arithmetic answer, one must often restrict the operating ranges of the integer variables even further. For example, to compute the circular convolution (18) in GF(p) where a_n and b_n are integers, one requires the final convolution to lie in the same "dynamic range" as the integers a_n and b_n. That is, in order to avoid ambiguity

$$-\frac{p-1}{2} \le \sum_{n=0}^{d-1} a_n\, b_{(p-n)} \le \frac{p-1}{2}$$

or its equivalent

$$\left| \sum_{n=0}^{d-1} a_n\, b_{(p-n)} \right| \le \frac{p-1}{2} . \qquad (19)$$

Since

$$\left| \sum_{n=0}^{d-1} a_n\, b_{(p-n)} \right| \le \sum_{n=0}^{d-1} |a_n|\, |b_{(p-n)}|$$

where equality holds if a_n and b_n are positive integers, to satisfy (19) for all sequences a_n and b_n such that |a_n| ≤ A and |b_n| ≤ B, it is necessary that

$$\sum_{n=0}^{d-1} (\max |a_n|)\,[\max |b_{(p-n)}|] = dAB \le \frac{p-1}{2} . \qquad (20)$$

A and B are the dynamic or operating ranges of integers |a_n| and |b_n|, respectively. If A = B, then by (20) the largest value of A is given by

$$A = \left[ \sqrt{\frac{p-1}{2d}} \right] \qquad (21)$$

where [x] denotes the greatest integer less than x, what is often called the principal part of x. Assuming (21), which for many practical applications is somewhat pessimistic, one would need to constrain a_n and b_n to the interval

$$-\left[ \sqrt{\frac{p-1}{2d}} \right] \le a_n, b_n \le \left[ \sqrt{\frac{p-1}{2d}} \right] \qquad (22)$$

in order to compute the circular convolution

$$c_p = \sum_{n=0}^{d-1} a_n\, b_{(p-n)} \qquad (23)$$

unambiguously with modulo p arithmetic, i.e., keep c_p in the interval

$$-\frac{p-1}{2} \le c_p \le \frac{p-1}{2} .$$

To compute convolution (23) when a_n and b_n are integers in a Galois field with transforms of the type suggested by Rader [Eq. (1)], one must first represent the integers in such a field. To preserve the arithmetic operations of addition and multiplication, the representation must necessarily be restricted to GF(p) in the manner shown above. However, GF(p) is a subfield of GF(p^n); in fact, the ground field of GF(p^n) for all n (n = 1, 2, 3, ...). Thus, convolution (23) can be performed with transforms of type (17) on a Galois field GF(p^n) if a_n and b_n are restricted to GF(p). In other words, if a_n, b_n ∈ GF(p) for (n = 0, 1, 2, ..., d - 1) and the transforms are

$$A_k = \sum_{n=0}^{d-1} a_n\, \alpha^{kn} \qquad\text{and}\qquad B_k = \sum_{n=0}^{d-1} b_n\, \alpha^{kn} \quad \text{for } (k = 0, 1, \ldots, d-1)$$

where α is a generator of a d-element subgroup φ_d of [GF(p^n) - 0], then the d-point convolution

$$c_p = \sum_{n=0}^{d-1} a_n\, b_{(p-n)}$$

of integers is found by forming

$$C_k = A_k \cdot B_k \quad \text{for } (k = 0, 1, \ldots, d-1)$$

and then taking the inverse transform

$$c_n = (d)^{-1} \sum_{k=0}^{d-1} C_k\, \alpha^{-kn} .$$

If an α can be found so that multiplications by powers of α are simple in hardware, the above extension might be useful in increasing the number of possible points in the convolution. This follows from the fact that d is a divisor of p^n - 1 and the number of divisors of p^n - 1 is always greater than the number of divisors of p - 1.

In applications to radar and communications systems, one generally wants to take convolutions of complex numbers. Towards this end set a_n = α_n + iβ_n and b_n = x_n + iy_n where α_n, β_n, x_n, and y_n are integers, suitably restricted in GF(p) so that the real and imaginary parts of

$$c_p = \sum_{n=0}^{d-1} a_n\, b_{(p-n)} = \gamma_p + i\,\delta_p \qquad (24)$$

lie in the interval -[(p - 1)/2] ≤ γ_n, δ_n ≤ (p - 1)/2 for (n = 0, 1, ..., d - 1). Here

$$a_n\, b_m = \alpha_n x_m - \beta_n y_m + i(\alpha_n y_m + \beta_n x_m) .$$

Thus one needs four transforms A_k, B_k, X_k, and Y_k of α_n, β_n, x_n, and y_n, respectively, as well as four inverse transforms of the products

$$A_k X_k,\quad B_k Y_k,\quad A_k Y_k,\quad B_k X_k \qquad (25)$$

to find (24), the circular convolution of complex integers. It is of interest to note that, for certain prime numbers q, this computational requirement can be reduced from four to two Rader-type transforms.

To achieve this, prime q must be such that

$$x^2 \equiv -1 \bmod q \qquad (26)$$

is not solvable. But the non-solvability of (26) is the same as the statement that (-1) is a quadratic nonresidue (Ref. 5, p. 82). This is further equivalent to

$$\left(\frac{-1}{q}\right) = (-1)^{(q-1)/2} = -1$$

where (a/q) is the Legendre symbol, defined by

$$\left(\frac{a}{q}\right) = \begin{cases} +1 & \text{if } a \text{ is a quadratic residue} \bmod q \\ -1 & \text{if } a \text{ is a quadratic nonresidue} \bmod q . \end{cases}$$
There are two important special cases.

Case I.

Mersenne primes of form M_p = 2^p - 1 where p is prime. For this case

$$\left(\frac{-1}{M_p}\right) = (-1)^{(M_p - 1)/2} = (-1)^{(2^p - 2)/2} = (-1)^{2^{p-1} - 1} = -1 .$$

Thus (-1) is a quadratic nonresidue and (26) is not solvable, modulo M_p.

Case II.

Fermat primes of form F_m = 2^{2^m} + 1 for 1 ≤ m ≤ 4. For this case

$$\left(\frac{-1}{F_m}\right) = (-1)^{(F_m - 1)/2} = (-1)^{2^{2^m - 1}} = +1 .$$

Thus (-1) is a quadratic residue modulo F_m and (26) is solvable.
If (26) is not solvable, which is true when q is a Mersenne prime M_p = 2^p - 1, then the polynomial

$$P(x) = x^2 + 1 \qquad (27)$$

is irreducible in GF(q). By the procedure of the last section (see Example 1) a root, say i, of

$$P(x) = x^2 + 1 = 0$$

can be found in the extension field GF(q^2). GF(q^2) is composed of the set

$$GF(q^2) = \{a + ib \mid a, b \in GF(q)\} \qquad (28)$$

where i is a root of (27), satisfying

$$i^2 = -1 \qquad (29)$$

where -1 = (q - 1) Mod q.

Evidently i plays a similar role over the finite field GF(q) that √(-1) = i plays over the field of rational numbers. For example, suppose a + ib and c + id are elements of GF(q^2); then by (29)

$$(a + ib) \pm (c + id) = (a \pm c) + i(b \pm d)$$

and

$$(a + ib)(c + id) = ac + i^2\, bd + ibc + iad = ac - bd + i(bc + ad) ,$$

the exact analogues of what one might expect if a + ib and c + id were complex numbers. Thus if -1 is a quadratic nonresidue mod q, then the circular convolution (24) of the complex integers, a_n and b_n, can be computed using only two inverse transforms on the terms

$$A_k X_k - B_k Y_k, \qquad A_k Y_k + B_k X_k$$

defined in (25).
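The two-inverse-transform scheme above, as an added Python example (my own code, not the note's): GF(q^2) is built as pairs (a, b) with i^2 = -1 per (27) to (29), the four forward transforms of α_n, β_n, x_n, y_n are formed, and only A X - B Y and A Y + B X are inverted. The choices q = 31 = 2^5 - 1, d = 8 (a power of two dividing q^2 - 1 = 960), the sample sequences and all names are mine.

```python
# Added example: GF(q^2) = {a + ib | a, b in GF(q)} for a Mersenne prime q
# with i^2 = -1 (eqs. 27-29), and the two-inverse-transform computation of
# the complex integer convolution (24). The choices q = 31 = 2^5 - 1 and
# d = 8 (a power of two dividing q^2 - 1 = 960) and all names are mine.
from typing import List, Tuple

Q = 31                  # Mersenne prime; (-1/Q) = -1, so x^2 + 1 is irreducible
D = 8
Elem = Tuple[int, int]  # a + ib stored as (a, b), both reduced mod Q
ONE: Elem = (1, 0)


def add(u: Elem, v: Elem) -> Elem:
    return ((u[0] + v[0]) % Q, (u[1] + v[1]) % Q)


def neg(u: Elem) -> Elem:
    return ((-u[0]) % Q, (-u[1]) % Q)


def mul(u: Elem, v: Elem) -> Elem:
    """(a + ib)(c + id) = (ac - bd) + i(bc + ad), using i^2 = -1."""
    a, b = u
    c, d = v
    return ((a * c - b * d) % Q, (b * c + a * d) % Q)


def power(u: Elem, e: int) -> Elem:
    r, base = ONE, u
    while e:
        if e & 1:
            r = mul(r, base)
        base = mul(base, base)
        e >>= 1
    return r


def subgroup_generator(d: int) -> Elem:
    """First element alpha of order exactly d in GF(Q^2)*, d a power of two
    dividing Q^2 - 1 (the note's FFT-friendly case)."""
    assert (Q * Q - 1) % d == 0 and d & (d - 1) == 0
    for a in range(Q):
        for b in range(Q):
            if (a, b) == (0, 0):
                continue
            alpha = power((a, b), (Q * Q - 1) // d)   # alpha^d = 1 by Lagrange
            if power(alpha, d // 2) != ONE:           # so the order is exactly d
                return alpha
    raise ValueError("no element of order d")


def transform(seq: List[Elem], alpha: Elem, inverse: bool = False) -> List[Elem]:
    """Eq. (14), or eq. (17) when inverse=True, over GF(Q^2)."""
    d = len(seq)
    w = power(alpha, Q * Q - 2) if inverse else alpha   # alpha^(Q^2-2) = alpha^-1
    scale = (pow(d, -1, Q), 0) if inverse else ONE      # (d)^-1 lies in GF(Q)
    out = []
    for k in range(d):
        acc = (0, 0)
        for n in range(d):
            acc = add(acc, mul(seq[n], power(w, k * n)))
        out.append(mul(acc, scale))
    return out


def centre(x: int) -> int:
    """Residue -> integer in -(Q-1)/2 .. (Q-1)/2, the range of Section III."""
    return x - Q if x > (Q - 1) // 2 else x


def complex_circular_convolution(a: List[complex], b: List[complex]) -> List[complex]:
    """Eq. (24) by four forward transforms and the two inverse transforms of
    A X - B Y and A Y + B X from (25); inputs must respect the dynamic range."""
    d = len(a)
    alpha = subgroup_generator(d)
    real = lambda s: [(int(z.real) % Q, 0) for z in s]
    imag = lambda s: [(int(z.imag) % Q, 0) for z in s]
    A, B = transform(real(a), alpha), transform(imag(a), alpha)
    X, Y = transform(real(b), alpha), transform(imag(b), alpha)
    re_k = [add(mul(A[k], X[k]), neg(mul(B[k], Y[k]))) for k in range(d)]
    im_k = [add(mul(A[k], Y[k]), mul(B[k], X[k])) for k in range(d)]
    gamma = transform(re_k, alpha, inverse=True)
    delta = transform(im_k, alpha, inverse=True)
    assert all(g[1] == 0 and t[1] == 0 for g, t in zip(gamma, delta))  # lie in GF(Q)
    return [complex(centre(g[0]), centre(t[0])) for g, t in zip(gamma, delta)]


def direct(a: List[complex], b: List[complex]) -> List[complex]:
    """Eq. (24) evaluated directly over the complex integers."""
    d = len(a)
    return [sum(a[n] * b[(m - n) % d] for n in range(d)) for m in range(d)]


A_SEQ = [1 + 2j, 3 - 1j, 0, 0, 0, 0, 0, 0]   # constructed inputs
B_SEQ = [2 - 1j, 1 + 1j, 0, 0, 0, 0, 0, 0]
```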
In the next section we will show how the transforms, developed by Rader for prime fields and extended here to Galois fields, can be extended further to rings formed from these fields. Before doing this, however, it is of some independent interest to demonstrate one property of the Galois field GF(q^2) which the field of complex rational numbers does not have. If x = a + ib ∈ GF(q^2), x ≠ 0, then

$$x^{q^2 - 1} = (a + ib)^{q^2 - 1} = 1 .$$

A true complex number does not have this property.

To prove this, use the binomial theorem

$$(a + ib)^{q^2 - 1} = \sum_{k=0}^{q^2 - 1} \binom{q^2 - 1}{k} (ib)^k\, a^{q^2 - 1 - k} .$$

But

$$q^2 - 1 = (q + 1)(q - 1) \qquad\text{and}\qquad a^{q - 1} = 1 \bmod q$$

so that

$$a^{q^2 - 1} = 1 \bmod q .$$

Also the binomial coefficient is

$$\binom{q^2 - 1}{k} = \frac{(q^2 - 1)(q^2 - 2) \cdots (q^2 - k)}{1 \cdot 2 \cdot 3 \cdots k}
= \frac{[q(q-1) + (q-1)]\,[q(q-1) + (q-2)] \cdots [q(q-1) + (q-k)]}{1 \cdot 2 \cdot 3 \cdots k}$$

$$= \frac{(q-1)(q-2) \cdots (q-k)}{1 \cdot 2 \cdot 3 \cdots k} = \frac{(-1)(-2) \cdots (-k)}{1 \cdot 2 \cdots k} = (-1)^k \bmod q .$$

Thus

$$(a + ib)^{q^2 - 1} = \sum_{k=0}^{q^2 - 1} (-1)^k (ib/a)^k = \frac{1 + (ib/a)^{q^2}}{1 + ib/a} .$$

However,

$$i^{q^2} = (i^{q-1})^{q+1}\, i = \left[(-1)^{(q-1)/2}\right]^{q+1} i = \left(\frac{-1}{q}\right)^{q+1} i$$

where (-1/q) is the Legendre symbol. But by assumption (-1) is a quadratic nonresidue and (-1/q) = -1. Hence,

$$i^{q^2} = i$$

so that finally

$$(a + ib)^{q^2 - 1} = \frac{1 + i\,(b/a)^{q^2}}{1 + ib/a} = \frac{1 + ib/a}{1 + ib/a} = 1 .$$

We see above that the Mersenne primes have an advantage over the Fermat primes in the computation of convolutions of complex integers. However, as Rader points out in Ref. 1, this advantage must be weighed against the fact that the fast Fourier transform (FFT) algorithm can be applied to the transforms, using Fermat primes, but not to the Mersenne primes.


IV. TRANSFORMS IN MODULAR ARITHMETIC AND MODULO m RINGS

A transform in the ring of integers modulo m was considered by Pollard in Ref. 2. It is well known that the set of integers modulo m is a ring R_m with respect to addition and multiplication modulo m.

Pollard considered first rings where m was a power of a prime p, namely, m = p^n, n > 0. He let R*_m denote the set of elements of R_m prime to m, i.e.,

$$R_m^* = \{a \in R_m \mid (a, m) = 1\}$$

where (a, m) denotes the greatest common divisor of integers a and m. By Euler's theorem (Ref. 5, p. 48), if (a, m) = 1

$$a^{\varphi(m)} \equiv 1 \bmod m \qquad (30)$$

where φ(m) denotes the number of integers less than or equal to m and prime to m, Euler's function. Thus, since 1 is the multiplicative identity of R_m, then

$$a^{\varphi(m)} = 1 \qquad (31)$$

for all a ∈ R*_m.

The order of an element a in R*_m (called the exponent of a in number theory) is the least power e(a) such that

$$a^{e(a)} = 1 .$$

Also, if m = p^n the number of elements in R_m prime to m is

$$\varphi(m) = p^n - p^{n-1} = p^{n-1}(p - 1) .$$

Thus by (31) the order of each element a ∈ R*_m divides φ(m) = p^{n-1}(p - 1), i.e., e(a) | p^{n-1}(p - 1) for all a ∈ R*_m.

It is well known (Ref. 5, p. 107) that an element g ∈ R*_m can be found such that e(g) = p^{n-1}(p - 1). g is called a primitive root since

$$g^{\varphi(m)} = 1 \bmod m$$
and φ(m) = e(g), the order or exponent to which g belongs modulo m. The powers of g, that is the set

$$G = \{g, g^2, \ldots, g^{p^{n-1}(p-1)}\}$$

are all distinct. Suppose otherwise that

$$g^k = g^t \qquad \text{where } k > t ;$$

then

$$g^k \cdot g^{p^{n-1}(p-1) - t} = g^{k-t} = 1 .$$

But k - t < p^{n-1}(p - 1) = e(g), which is contrary to the assumption that g is a primitive root. Hence the elements of G are distinct. Since the elements of G are prime to m = p^n and since G has the same number of elements as R*_m,

$$G = R_m^* .$$

Thus R*_m is a cyclic multiplicative group of p^{n-1}(p - 1) elements with generator g.

Pollard next chooses a divisor d of p - 1 and considers an element r ∈ R*_m of order d, i.e., d is the smallest integer for which r^d = 1. The powers of r compose a subgroup G_d of R*_m,

$$G_d = (1, r, r^2, \ldots, r^{d-1}) .$$

He next shows that the equivalent of (16) holds when φ_d is replaced by G_d. That is, if d | p - 1,

$$\sum_{x \in G_d} x^m = \sum_{k=0}^{d-1} (r^m)^k =
\begin{cases} 0 & \text{for } m \not\equiv 0 \bmod d \\ (d) & \text{for } m \equiv 0 \bmod d \end{cases}
= (d)\,\delta_d(m) \qquad (32)$$

where δ_d(m) is the delta function

$$\delta_d(m) = \begin{cases} 0 & \text{for } m \not\equiv 0 \bmod d \\ 1 & \text{for } m \equiv 0 \bmod d \end{cases}$$

and where (d) is d modulo p^n.

To prove this, consider first the following cyclic subgroup of R*_m

$$G_{p^{n-1}} = \left\{ g^{p-1},\ (g^{p-1})^2,\ \ldots,\ (g^{p-1})^{p^{n-1}} \right\} \qquad (33)$$

of p^{n-1} elements. By Fermat's theorem [Eq. (31) for m a prime], an element (g^{p-1})^k of G_{p^{n-1}} satisfies

$$(g^{p-1})^k = 1^k = 1 \bmod p .$$
However, if we consider an arbitrary element of the subgroup

$$G_{p-1} = \left\{ g^{p^{n-1}},\ (g^{p^{n-1}})^2,\ \ldots,\ (g^{p^{n-1}})^{p-1} \right\} \qquad (34)$$

modulo p, then

$$(g^{p^{n-1}})^k = \left[ (\cdots((g^p)^p \cdots)^p \right]^k = g^k \bmod p . \qquad (35)$$

Since integers p - 1 and p^{n-1} are relatively prime, i.e., (p - 1, p^{n-1}) = 1, the subgroups G_{p^{n-1}} and G_{p-1} in (33) and (34), respectively, have only the unit element, 1, in common. Also by (33) and (34) every element of R*_m is to be found in the product of G_{p^{n-1}} and G_{p-1}. Hence R*_m is the direct product of these two subgroups, i.e.,

$$R_m^* = G_{p-1} \times G_{p^{n-1}} .$$

Thus the only elements of R*_m which are not congruent to 1 modulo p are the complement of G_{p^{n-1}} and hence in G_{p-1}.

Let h be a primitive root modulo p, i.e., h is an integer 1 ≤ h ≤ p - 1 such that p - 1 is the least integer for which

$$h^{p-1} = 1 \bmod p .$$

Then it can be shown (see Ref. 5, p. 107) that a primitive root g modulo p^n can always be found of form

$$g = h + p\mu$$

where μ is an integer. From this

$$g^k = (h + p\mu)^k = h^k \bmod p$$

where 1 ≤ h^k ≤ p - 1. With (35) this yields

$$(g^{p^{n-1}})^k = h^k \bmod p . \qquad (36)$$

Since h is a primitive root modulo p, it generates the p - 1 element group φ_{p-1} of the non-zero elements of R_p = GF(p). (36) maps the elements of G_{p-1} onto φ_{p-1} in a one-to-one manner. Since

$$g^{p^{n-1}(k+\ell)} = h^{k+\ell} \bmod p ,$$

this mapping is in fact an isomorphism between groups G_{p-1} and φ_{p-1}, i.e., G_{p-1} ≅ φ_{p-1}.

By (36) if some element of G_{p-1} was congruent to 1 modulo p, then

$$g^{p^{n-1} k} = h^k = 1 \bmod p .$$

Since h is primitive this is possible if and only if k is a multiple of p - 1. Thus none of the elements of G_{p-1} is congruent to 1 modulo p, except the unit element 1. Since d | p - 1, G_d is a cyclic subgroup of G_{p-1} and likewise no element x, x ≠ 1, of G_d is congruent to 1 modulo p. Now for m ≢ 0 Mod d

$$\left( \sum_{k=0}^{d-1} r^{mk} \right)(r^m - 1) = (r^d)^m - 1 = (1)^m - 1 = 0 \bmod p^n \qquad (37)$$
where r is a generator of G_d. From the above, if m ≢ 0 Mod d,

$$r^m \neq 1 \bmod p .$$

Thus, the integer r^m - 1 and p are relatively prime, (r^m - 1, p) = 1. But this in turn implies (r^m - 1, p^n) = 1 for (m = 1, 2, ..., d - 1). Thus

$$\sum_{k=0}^{d-1} (r^m)^k = 0 \bmod p^n$$

for all m ≢ 0 Mod d and (32) is proved. This is essentially the result proved by Pollard in Ref. 2. Pollard states that more generally one can find a d-point transform for m = p_1^{n_1} ⋯ p_t^{n_t} if d | (p_i - 1) for all i (i = 1, ..., t) and d is the order Mod m.

Bonneau  in  Ref.  6 has  proved  a converse  of  Pollard's  result  whieh  we  restate  and  prove  here 
in  our  terminology. 


Theorem.

If $R_m$ has a $d$-point transform and $m = p_1^{n_1} \cdots p_t^{n_t}$, $m$ odd, then $d \mid p_i - 1$ for all $i$ and there exists an element $r \in R_m$ such that $r$ is of order $d$ in $R_{p_i^{n_i}}$ for all $i$.

Proof. 


Since $R_m$ has a $d$-point transform, the delta function, given by (32), must exist, where here $m = p_1^{n_1} \cdots p_t^{n_t}$. For the inverse transform to exist the inverse $(d)^{-1}$ of $(d)$, the residue of $d$ Mod $m$, must exist. To find this inverse it is necessary that $(d, m) = 1$; $d$ and $m$ are relatively prime. But this implies $(d, p_i) = 1$ for each $i$ ($i = 1, 2, \ldots, t$).

Consider the mapping $\psi$ of ring $R_m$ onto the direct product of rings $R_{p_1^{n_1}}, R_{p_2^{n_2}}, \ldots, R_{p_t^{n_t}}$, i.e.,

$$\psi : R_m \to \prod_{i=1}^{t} R_{p_i^{n_i}}$$

which explicitly is

$$\psi(x) = \left(x \bmod p_1^{n_1},\ x \bmod p_2^{n_2},\ \ldots,\ x \bmod p_t^{n_t}\right) \qquad (38)$$

where $x \in R_m$. By the Chinese remainder theorem (Ref. 7, pp. 94-95), $\psi(x)$ is a one-to-one mapping. Since $\psi(x + y) = \psi(x) + \psi(y)$ and $\psi(xy) = \psi(x) \cdot \psi(y)$, $\psi(x)$ maps ring $R_m$ onto ring $\prod_i R_{p_i^{n_i}}$ isomorphically.

The set $R^*_m$ of elements relatively prime to $m$ is an Abelian group. $\psi(x)$ maps group $R^*_m$ onto the direct product of the cyclic groups $R^*_{p_i^{n_i}}$ isomorphically. That is,

$$R^*_m \cong \prod_{i=1}^{t} R^*_{p_i^{n_i}} \qquad (39)$$

The order of $R^*_m$ in the isomorphism (39) is the number of elements relatively prime to $m$, namely the number
$$\varphi(m) = \prod_{i=1}^{t} (p_i - 1)\, p_i^{n_i - 1}$$

whereas the number of elements in the cyclic group $R^*_{p_i^{n_i}}$ is

$$\varphi(p_i^{n_i}) = (p_i - 1)\, p_i^{n_i - 1}$$

In order to have the delta function (32), an element $r \in R_m$ of order $d$ must exist, i.e.,

$$r^d = 1.$$

Since $r \cdot r^{d-1} = 1$, the inverse of $r$ exists and equals $r^{d-1}$. But by an elementary theorem on congruences such an inverse exists if and only if $(r, m) = 1$. This implies $r \in R^*_m$. Since the order of an element of a group divides the order of the group, $d \mid \varphi(m)$, or

$$d \,\Big|\, \prod_{i=1}^{t} (p_i - 1)\, p_i^{n_i - 1} \qquad (40)$$

But by an argument above $(d, p_i) = 1$ for all $i$. This with (40) yields

$$d \,\Big|\, \prod_{i=1}^{t} (p_i - 1)$$

In order to have a delta function it is necessary that the sum $S_m$ satisfy

$$S_m = \sum_{k=0}^{d-1} (r^m)^k \equiv 0 \pmod m$$

for $m = 1, 2, \ldots, d-1$. Since $m = \prod_i p_i^{n_i}$ and the $p_i^{n_i}$ are all relatively prime, then

$$S_m = \sum_{k=0}^{d-1} (r^m)^k \equiv 0 \pmod{p_i^{n_i}} \qquad (41)$$

for $i = 1, 2, \ldots, t$ and $m = 1, 2, \ldots, d-1$.

Now the mapping $\psi(x)$ in (38) sends $r \in R^*_m$ into the following vector

$$\psi(r) = \left(r \bmod p_1^{n_1},\ r \bmod p_2^{n_2},\ \ldots,\ r \bmod p_t^{n_t}\right) = (r_1, r_2, \ldots, r_t)$$

where $r_i$ denotes the residue of $r$ in $R^*_{p_i^{n_i}}$. Consider now the order of $r_i$ in $R^*_{p_i^{n_i}}$. Let this order be $d_i$, so that $r_i^{d_i} = 1$. Evidently $d_i$ must divide $d$, so that $d_i \le d$.

Now suppose $d_i < d$. Then

$$\sum_{k=0}^{d-1} \left(r_i^{d_i}\right)^k = \sum_{k=0}^{d-1} 1 = \underbrace{1 + 1 + \cdots + 1}_{d \text{ times}} \equiv d \pmod{p_i^{n_i}}$$

But, by a previous argument above, $(d, p_i) = 1$ for $i = 1, 2, \ldots, t$. Thus (41) for $m = d_i$ satisfies

$$S_{d_i} \equiv d \not\equiv 0 \pmod{p_i^{n_i}}$$

This is a contradiction to (41). Thus the "projection" $r_i$ of $r$ in $R_{p_i^{n_i}}$ has order $d$ for $i = 1, 2, \ldots, t$. But again, since the order of an element divides the order of the group,

$$d \mid (p_i - 1)\, p_i^{n_i - 1}$$

for all $i$ ($i = 1, 2, \ldots, t$). Finally, since $d$ and $p_i$ are relatively prime for all $i$, $d \mid (p_i - 1)$ for $i = 1, 2, \ldots, t$. This proves the converse of Pollard's theorem.
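As an added example, not from the paper, the following Python checks Bonneau's criterion for a $d$-point transform over $R_m$, searches for an $r$ with the delta property (32), confirms through the projection $\psi$ that $r$ has order $d$ in each $R^*_{p_i^{n_i}}$, and then uses the transform to compute a circular convolution. The modulus $m = 7 \cdot 13 = 91$, $d = 6$, and the sample sequences are constructed for the example; all function names are mine.

```python
from math import gcd
# Added example (not the paper's code): Bonneau's criterion for a d-point transform over R_m,
# a root r with the delta property (32), and the transform itself (all names are mine).
def factorize(m):
    """Prime factorisation {p: n} of m by trial division (small m only)."""
    f, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            f[p], m = f.get(p, 0) + 1, m // p
        p += 1
    if m > 1:
        f[m] = f.get(m, 0) + 1
    return f

def has_d_point_transform(m, d):
    """Theorem above: gcd(d, m) = 1 and d | (p_i - 1) for every prime p_i dividing m."""
    return gcd(d, m) == 1 and all((p - 1) % d == 0 for p in factorize(m))

def order(x, n):
    """Multiplicative order of the unit x in R*_n (brute force)."""
    k, y = 1, x % n
    while y != 1:
        y, k = y * x % n, k + 1
    return k

def find_root(m, d):
    """Smallest r in R_m with r^d = 1 and the delta property (32), i.e.
    sum_{k<d} r^{jk} = 0 mod m for j = 1..d-1; None if no such r exists."""
    for r in range(2, m):
        if gcd(r, m) == 1 and pow(r, d, m) == 1 and all(
                sum(pow(r, j * k, m) for k in range(d)) % m == 0 for j in range(1, d)):
            return r
    return None

def ntt(a, r, m):
    """d-point transform A_j = sum_k a_k r^{jk} mod m."""
    return [sum(a[k] * pow(r, j * k, m) for k in range(len(a))) % m for j in range(len(a))]

def intt(A, r, m):
    """Inverse: a_k = d^{-1} sum_j A_j r^{-jk} mod m (needs gcd(d, m) = 1)."""
    d, r_inv, d_inv = len(A), pow(r, -1, m), pow(len(A), -1, m)
    return [d_inv * sum(A[j] * pow(r_inv, j * k, m) for j in range(d)) % m for k in range(d)]

def circular_convolution(a, b, r, m):
    """Circular convolution of a and b mod m via pointwise product of transforms."""
    return intt([x * y % m for x, y in zip(ntt(a, r, m), ntt(b, r, m))], r, m)

if __name__ == "__main__":   # constructed case: 6 | 7-1, 6 | 13-1 and gcd(6, 91) = 1
    r = find_root(91, 6)     # r = 10 projects to 3 in R*_7 and 10 in R*_13, both of order 6
    print(r, order(r % 7, 7), order(r % 13, 13), circular_convolution([1, 2, 3, 4, 5, 6], [1, 0, 0, 1, 0, 0], r, 91))
```

For $m = 77 = 7 \cdot 11$ the same search with $d = 6$ finds no $r$, matching the theorem since $6 \nmid 10$, while $d = 2$ is admissible.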

The mapping $\psi(x)$ given by (38) represents an integer modulo $m$ as a vector of residues of relatively prime moduli. The arithmetic associated with this representation has come to be known as modular arithmetic. Also the rings associated with the mapping $\psi(x)$ in (38) are called modular arithmetic rings. Hence it is reasonable to call transforms of type (1), which are mapped by $\psi(x)$ into a modular arithmetic ring, modular arithmetic transforms.